Engineering-first: How we approach cybersecurity at ERNI


By David Soto Dalmau (ERNI Spain)

In highly regulated industries such as pharma and MedTech, cybersecurity is not a feature that can be added at the end of a project. It is a fundamental system property. Software must not only function reliably; it must also be secure, traceable, validated and defensible during audits.

According to industry data, the global average cost of a data breach exceeded $4.6 million in 2025, with regulated sectors such as healthcare experiencing some of the highest financial impacts – underscoring the importance of building security into the software development lifecycle rather than treating it as an afterthought.

At ERNI, our cybersecurity services did not emerge as a standalone offering. They evolved from years of engineering software in regulated and complex environments. Working in domains governed by standards such as ISO 13485 (quality management systems for medical devices) and IEC 62304 (medical device software lifecycle processes) has shaped how we think about security: as an integral part of system design and software development.

Cybersecurity starts with software engineering

Our approach does not start from monitoring or SOC (security operations centre) activities. It starts from software engineering. We see security as a property of the system that must be designed, implemented, validated and properly documented. Based on that mindset, our cybersecurity offering is structured around three main areas.

Secure development end-to-end

The first area is secure development end-to-end. We support teams from the earliest design phases, working with threat modelling, risk assessments and secure architecture design. We use techniques such as Data Flow Diagrams (DFDs) to make trust boundaries explicit, identify the attack surface where data crosses them, and define mitigation strategies early. We integrate security controls and automation into CI/CD pipelines so that security becomes part of the development workflow rather than a late-stage checkpoint. The goal is to reduce structural vulnerabilities before production and to ensure the traceability that regulated environments require.
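To make the DFD step concrete, the following is an added illustration written for this page; it is not ERNI's tooling or any client's threat model. It models a DFD as elements (external entities, processes, data stores) placed in trust zones, plus directed data flows between them, and reports every flow that crosses a zone boundary as attack surface together with the review points it raises. The zone names, the set of cleartext protocols and the four finding rules are assumptions chosen for the example; the sample diagram is constructed.

```python
"""Toy DFD attack-surface analysis (added example, not ERNI's tooling).

Elements sit in trust zones; any flow whose source and destination are in
different zones crosses a trust boundary and is reported with the review
points a threat-modelling session would raise for it.  Zone names, the
cleartext-protocol set and the finding rules are assumptions for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone, e.g. "internet", "dmz", "backend"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    protocol: str            # e.g. "https", "http", "sql"
    authenticated: bool = False


@dataclass
class Dfd:
    elements: dict[str, Element] = field(default_factory=dict)
    flows: list[Flow] = field(default_factory=list)

    def add(self, e: Element) -> None:
        self.elements[e.name] = e

    def flow(self, f: Flow) -> None:
        for name in (f.src, f.dst):
            if name not in self.elements:
                raise ValueError(f"unknown element {name!r}")
        self.flows.append(f)

    def boundary_crossings(self) -> list[Flow]:
        """Flows whose endpoints live in different trust zones."""
        return [f for f in self.flows
                if self.elements[f.src].zone != self.elements[f.dst].zone]


# Assumed set of protocols with no transport protection.
CLEARTEXT = {"http", "ftp", "telnet"}


def findings_for(dfd: Dfd, f: Flow) -> list[str]:
    """Review points for one boundary-crossing flow (rules are assumptions)."""
    src, dst = dfd.elements[f.src], dfd.elements[f.dst]
    out: list[str] = []
    if f.protocol in CLEARTEXT:
        out.append(f"{f.data} crosses {src.zone}->{dst.zone} over cleartext {f.protocol}")
    if not f.authenticated and dst.kind != "external":
        out.append(f"{f.dst} accepts {f.data} from {f.src} without authentication")
    if src.kind == "external" and dst.kind == "process":
        out.append(f"{f.dst} must validate {f.data} coming from untrusted {f.src}")
    if dst.kind == "store":
        out.append(f"{f.dst} is written across a boundary; check least-privilege access for {f.src}")
    return out


def analyse(dfd: Dfd) -> dict[str, list[str]]:
    """Map 'src->dst' of every boundary-crossing flow to its findings."""
    return {f"{f.src}->{f.dst}": findings_for(dfd, f) for f in dfd.boundary_crossings()}


def sample_dfd() -> Dfd:
    """Constructed example: a device portal in a MedTech-style deployment."""
    d = Dfd()
    d.add(Element("Clinician browser", "external", "internet"))
    d.add(Element("Web API", "process", "dmz"))
    d.add(Element("Device gateway", "process", "dmz"))
    d.add(Element("Patient DB", "store", "backend"))
    d.add(Element("Infusion pump", "external", "clinical-network"))
    d.flow(Flow("Clinician browser", "Web API", "dosing order", "https", authenticated=True))
    d.flow(Flow("Web API", "Patient DB", "patient record", "sql", authenticated=True))
    d.flow(Flow("Infusion pump", "Device gateway", "telemetry", "http"))
    # Same zone (dmz -> dmz): not a boundary crossing, so not reported.
    d.flow(Flow("Web API", "Device gateway", "dosing command", "https", authenticated=True))
    return d


if __name__ == "__main__":
    for edge, items in analyse(sample_dfd()).items():
        print(edge)
        for item in items:
            print("  -", item)
```

Run stand-alone, the script reports three of the four flows: the unauthenticated cleartext telemetry from the pump collects three findings, the clinician-facing API one input-validation point, and the cross-zone database write one least-privilege check. The point of the exercise is the output format, not the rules: each finding is a mitigation a design review must either implement or justify, which is exactly the traceable evidence a regulated project needs before a line of production code exists.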

Offensive cybersecurity: Testing systems realistically

The second area is offensive cybersecurity. We provide pentesting and vulnerability assessments for applications, APIs and integrated software systems. We evaluate how systems could realistically be exploited, identify technical weaknesses and propose concrete remediation measures. Our added value is that we not only report findings – we understand how the system was built and recommend mitigation strategies that are technically viable and architecturally sound. This allows teams to fix issues effectively and sustainably.

Regulatory support for cybersecurity compliance

The third area is regulatory support related to cybersecurity. In regulated sectors, being secure is not enough – security must be demonstrable. We help translate regulatory requirements into implementable technical controls, support documentation aligned with applicable standards, and assist in preparing audit evidence. We bridge the gap between regulatory language and technical implementation, ensuring that compliance is grounded in real engineering practices rather than purely documentation-based exercises.

Integration makes the difference

This integrated model is what positions ERNI as a strong partner in this field. We do not treat cybersecurity as an isolated service. Instead, it is a natural extension of our expertise in engineering complex software systems. We combine secure design, offensive validation and regulatory alignment within a coherent technical framework.

For our clients, this means working with a partner that understands the full software lifecycle – from architecture to audit – and that integrates security into development rather than adding it at the end.

For us as an organisation, it formalises something that has long been part of our culture: responsible engineering, structured processes, and alignment with real-world regulatory and technical requirements.
